I need some implementation guidance. I have an AngularJS client with ASP.NET Web API on the server side. Here are some questions:
1. I have implemented Implicit flow where I'm able to get the id_token and access_token from the IdentityServer. I would like to know if we can implement Hybrid flow that allows refresh tokens?
2. What's the right way to handle session management on a JavaScript client?
Implicit flow does not support refresh tokens. Authorization Flow does, but should not be used on JavaScript clients in websites. This can be used for native apps on mobile devices.
Here is an article on why you shouldn't use Implicit Flow on mobile devices.
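
The following is an added example, not code from the question, the answer or IdentityServer: a JavaScript client checking the fragment an implicit-flow redirect returns (state, nonce, expiry) and tracking access-token expiry, since without a refresh token an expired token means a new authorization request. The function names and all sample values are hypothetical, and id_token signature validation is assumed to be done separately by an OpenID Connect library.

```javascript
// Added example; all token values below are constructed, not real.
// Signature validation of the id_token against the issuer's keys is NOT shown here.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// expected = { state, nonce }: values the client stored before redirecting.
function handleImplicitResponse(fragment, expected, nowSeconds) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('error')) throw new Error('authorization error: ' + p.get('error'));
  if (!expected.state || p.get('state') !== expected.state) throw new Error('state mismatch');
  const idToken = p.get('id_token');
  const accessToken = p.get('access_token');
  if (!idToken || !accessToken) throw new Error('missing token');
  const claims = decodeJwtPayload(idToken);
  if (!expected.nonce || claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('id_token expired');
  const lifetime = Number(p.get('expires_in'));
  if (!Number.isFinite(lifetime) || lifetime <= 0) throw new Error('bad expires_in');
  return { accessToken, claims, accessTokenExpiresAt: nowSeconds + lifetime };
}

// With no refresh token, the session ends when the access token does:
// the client must start a new authorization request shortly before expiry.
function needsReauthorization(session, nowSeconds, skewSeconds = 60) {
  return nowSeconds >= session.accessTokenExpiresAt - skewSeconds;
}

// Constructed sample input (unsigned placeholder token).
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_NOW = 1700000000;
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ sub: 'alice', nonce: 'n-123', exp: SAMPLE_NOW + 300 }),
  'sig-not-checked-here',
].join('.');
const SAMPLE_FRAGMENT = '#id_token=' + SAMPLE_ID_TOKEN +
  '&access_token=constructed-at&token_type=Bearer&expires_in=3600&state=s-456';
```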